Model-theoretic approach to data anonymity and inference control

ABSTRACT

A system and method for secure data management is presented. The method comprises receiving a query, performing the query and obtaining answers to it, creating certain formulas representing the answers; and determining whether there is a minimum number of distinct models of these formulas conjoined with the relevant anonymity predicates along with previous answers and general background knowledge, and when that number of models does not exist, suppressing the answers. In one aspect, the method further comprises creating formulas encoding the information conveyed by the answer; and combining the formulas encoding the information with prior information.

CROSS REFERENCE TO RELATED APPLICATIONS

The present invention claims the benefit of U.S. provisional patent application 61/482,846 filed May 5, 2011, the entire contents and disclosure of which are incorporated herein by reference as if fully set forth herein.

FIELD OF THE INVENTION

This invention relates generally to secure data management and more particularly to a model-theoretic approach to inference detection.

BACKGROUND OF THE INVENTION

The inference problem in databases (and in social networks too, in a slightly different guise) occurs when sensitive information is disclosed indirectly, via a series of ostensibly secure answers to queries. Even though each individual query answer may be properly authorized for disclosure (i.e., the user's clearance level may permit her to receive the answer), the answers may nevertheless collectively compromise sensitive information, in that the user may be able to infer from these answers information that she is not authorized to have, particularly when she combines the answers with some additional knowledge, e.g., metadata such as integrity constraints or functional dependencies, or domain-specific knowledge.

The problem has attracted a great deal of attention. Most approaches fall into two camps, static and dynamic. Static approaches analyze a database prior to querying and try to detect so-called “inference channels” that could result in inference-based leaks of sensitive information. When such channels are identified, the database is modified in order to eliminate them; typically the security levels of various attributes are raised accordingly. This usually results in over-classification: large portions of the data are classified as sensitive, and overall data availability is thereby decreased, making the database less useful. As a rather simplistic example, consider a database with three attributes, Name, Rank, and Salary. Suppose that we wish to keep secret the association between names and salaries, but we freely disclose the association between names and ranks, and between ranks and salaries. Given a functional dependency Rank→Salary that may be widely known, it is clear that the user could come to infer salaries from ranks. In the static approach, the solution would be to make the Rank a sensitive attribute.

Dynamic approaches, by contrast, attempt to detect potential inferences of sensitive information at query time. If no inference is detected, the regular answer to the query can be released. But if it is determined that potentially compromising inferences could be made on the basis of the answer (and other knowledge, such as previous answers, metadata, etc.), then the answer is not released; it is withheld, or suppressed, or generalized, and so on. Dynamic approaches have the benefit of being considerably more precise than static approaches. On average, data is more available under a dynamic approach because there is no need to be overly conservative ahead of time; protective measures are taken only if and when needed. The main drawbacks of dynamic approaches have been incompleteness and inefficiency. Incompleteness means that only a very restricted class of inferences could be detected; and inefficiency typically means that the detection was computationally expensive.

Given that the issue at hand is information inference, it would appear that logic-based techniques such as theorem proving might be of use. Indeed, theorem proving techniques could be (and have been) used to tackle the inference problem, roughly along the following lines: For any given time point t, let A_(t)={a₁, . . . , a_(t)}, t≧1, be the answers to all the queries that a given user has previously posed (up to time t). Further, let B be a set of background knowledge that the user can be reasonably expected to have. For instance, B could be a set of functional dependencies for the underlying database. Now, let q_(t+1) be a new query, and let a_(t+1) be the answer to it. An inference-blocking information-management system will decline to disclose a_(t+1) if A∪B∪{a_(t+1)}^(|−)p, where p is a sensitive proposition that should not be made available to this particular user (e.g., because her security clearance level is insufficient). Typically p is an atomic proposition that reveals the value of a sensitive attribute for a given individual, such as salary(Tom)=70K  (1.1)

In other words, the new query will not be answered lithe answer could be used, in tandem with previous answers and background knowledge, to deduce some sensitive information item about someone.

There are two main drawbacks to this approach. First, usually there is no single proposition p that we wish to protect but many. For instance, we wish to prevent the disclosure of all sensitive attribute values for all individuals in a given database. At least in principle, there are a couple of ways of handling this problem. First, one might run a theorem-proving procedure such as resolution to completion, deriving not one but very many conclusions from A∪B∪{a_(t+1) }, and then checking to see if any sensitive proposition is among the conclusions. A slightly more targeted approach is to formulate a disjunctive proposition p₁ V . . . V p_(n) containing all the propositions whose secrecy we wish to maintain under the circumstances, and check whether A∪B∪{a _(t+1) }|−p ₁ V . . . Vp _(n)  (1.2)

Neither formulation is particularly practical or elegant. But there is a second serious problem, namely, the answer a_(t+1) might amount to a partial information disclosure. That is, it might not allow the user to deduce a particular sensitive proposition such as (1.1), i.e., a specific value for some individual's sensitive attribute, but it may nevertheless provide helpful information in that it might eliminate certain alternatives, thereby narrowing the pool of possible values for the attribute in question. For instance, suppose that we are dealing with a company database and that company rank is a sensitive attribute. Suppose further that company rank is either E, F, G, or H; and that the user knows that the company rank of a certain employee x is either F, G, or H. In reality, it is F. Now if the new query answer allows the user to eliminate H as a possibility, it is clear that it has given her some sensitive information, even though she remains unable to derive the actual database entry, rank (x)=F. The upshot is that a security breach may well occur even though (1.2) does not hold.

SUMMARY OF THE INVENTION

The present invention solves the problems discussed above. The inventive solution comprises a model-theoretic approach to inference detection that allows for a much more natural formulation of the problem and for much finer security-policy specification and inference control. The novel technique models the epistemic state of the user as a set of possible worlds, i.e., as a set of data models. The user's knowledge is expressed in a multi-sorted first-order logic that is propositionalized (restricted to a finite domain) over the database universe, and the models in question are models of this knowledge, in the standard sense of mathematical logic. A new notion of anonymity signatures, introduced herein, allows the precise specification of data associations to be protected, and then for each tuple of values for the so-called “identifying attributes” of an anonymity signature, the user should not be able to distinguish among at least k distinct values for the corresponding sensitive attribute of the signature, where k is a tunable parameter that can be given different values for different anonymity signatures. This is similar to the idea of k-anonymity, but the important difference is that the data itself need not be k-anonymous; rather, the epistemic state of the user should be consistent with at least k distinct values for any given sensitive attribute of any given individual. Thus the inventive technique can be used even if the data itself is not k-anonymous. Hence, partial information disclosures can be treated in a model-theoretic fashion, and inference detection can be mechanized and controlled by using efficient model builders to do a form of model counting.

A system for secure data management comprises a CPU and a module operable on the CPU to receive a query, to perform the query and obtain the answer to the query, to create certain formulas representing the answers; and to determine whether there is a minimum number of distinct models of these formulas conjoined with the anonymity predicate along with background knowledge and previous answers; when the required number of models does not exist, suppress the answers. In one aspect, the module of the system is further operable to create formula encoding the information conveyed by the answers; and to combine the formula encoding that information with prior information. In one aspect, the system can further comprise an input device operable to send the query to the CPU. In one aspect, the system can further comprise an output device operable to display the answers from the CPU.

A method for secure data management comprises receiving a query, performing the query and obtaining answers to it, creating a formula in accordance with the answers; and determining whether there is a minimum number of distinct models of that formula (conjoined with the relevant anonymity predicates, previous answers, and general background knowledge), as required by the anonymity signatures; and when that number of models does not exist, suppressing the answers. In one aspect, the method further comprises creating formulas encoding information based on the answers; and combining the formulas encoding information with prior formulas encoding prior answers, as well as certain kinds of general background knowledge.

A computer readable storage medium storing a program of instructions executable by a machine to perform one or more methods described herein also may be provided.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is further described in the detailed description that follows, by reference to the noted drawings by way of non-limiting illustrative embodiments of the invention, in which like reference numerals represent similar parts throughout the drawings. As should be understood, however, the invention is not limited to the precise arrangements and instrumentalities shown. In the drawings:

FIG. 1 is an inventive model-theoretic algorithm in accordance with the present invention.

FIG. 2 is a flow diagram of the inventive method

FIG. 3 is a schematic diagram of the inventive system.

DETAILED DESCRIPTION

What does it mean to say that an agent x does not know the value v of an attribute A? As discussed in detail below, it can mean that there is at least one other value v′≠v such that A=v′ is consistent with what x knows. For example, suppose that A represents the results of a cancer biopsy for Alice, so that there are only two possible values for A: 0 (negative) and 1 (positive). Suppose that the actual value v is 0, i.e., the result is negative. What does it mean to say that x does not know this information? It can mean that there is another value v′, distinct from v, such that A=v′ is consistent with what x knows. In this case, of course, v′=1. Accordingly, to say that x does not know the value of A is to say that A=1 is consistent with what x knows.

Further, suppose that x is a user querying a database and accumulating answers to those queries over time. Write K_(x) to denote the set of all answers that x has received so far, and let B be a set of pertinent background knowledge that x might have a priori (B can be a null set). The answers given to x do not “leak” the value of A if and only if there is some v′ such that K _(x) ∪B∪{A=v′,v′≠v}  (2.0)

is consistent, that is, satisfiable. Therefore to determine whether the answers reveal the value of A one can try to find a model for the set (2.0)

We define an information system S as a finite set of objects

and a finite set of attribute names (or simply attributes)

We call

the universe of S. We use the letters u and A as variables ranging over

and

, respectively. Associated with each attribute name Aε

is a unique computable domain of values V(A), the set of values for the attribute A. We write

for the union of all V(A), Aε

. We assume that a fixed subset of the attributes are designated as sensitive; these are the attributes whose privacy we wish to protect (though this will be refined below). A model or possible world w of an information system is an assignment of a unique value to each attribute and object. More precisely, a possible world of S is a function w:

×

→V with w(A; u)εV(A) for each Aε

uε

. When the world w is obvious or immaterial, we write A(u) as a shorthand for w(A; u).

A possible world of an information system can be depicted in tabular format. Note that only one information system, i.e., one data table is discussed herein. The invention can easily be extended to handle multiple tables. Moreover, a database with multiple tables can be transformed into one with a single “universal” table. Consider the following table:

Name Salary u₁ Tom 50K u₂ Mary 70K u₃ Peter 40K

This table can be viewed as the following possible world:

w(Name, u₁)=Tom, w(Salary, u₁)=50K

w(Name, u₂)=Mary, w(Salary, u₂)=70K

w(Name, u₃)=Peter, w(Salary, u₃)=40K

A state M of an information system S is a non-empty set of possible worlds of S. The term state is meant to invoke the notion of an agent's epistemic state. In particular, the set of worlds in M are all and only the worlds that are considered possible on the basis of what is known by the agent in question. We need to model the user's epistemic state in order to control it properly. When the interaction first starts, the user's state will contain very many possible worlds because the user will be under-informed at that point. As the user obtains more and more answers to her queries, her epistemic state narrows: many possible worlds are eliminated and hence the state's information content increases. Essentially, we want to ensure that the epistemic state doesn't narrow too much along the sensitive dimensions. The objective, in other words, will be to ensure that at any given time during the interaction, the user's state has several possible worlds of a certain kind in it. This will be made precise below.

The syntax and semantics of a logic for reasoning about information systems (such as database tables) is now presented. We will be concerned with a first-order language L consisting of a finite set of sorts S, where S contains a distinct sort ind (for the universe of the information system) along with m distinct sorts a₁; :::; a_(m), where each a_(i) corresponds to an attribute name. For each sort sεS, the language also contains a (possibly empty) collection of constant symbols, C_(s). We write c_(s) as a typical constant of sort s. The language has a number of sorted function and relation symbols. Each function symbol has a unique sort profile associated with it, of the form s₁ x . . . x s_(n)→s, n>0, and each relation symbol also has a unique sort profile, of the form s₁ x . . . x s_(n). There is an identity symbol=^(s) with profile sxs for every sort s. We usually drop the sort superscript and simply write=. At minimum there are m function symbols a₁, . . . , a_(m), where a_(i) corresponds to attribute A_(i) and has profile ind→a_(i). Finally, for each sort s there is a countably infinite set of variables X_(s) of sort s, where for any two distinct sorts s₁ and s₂, X_(s1) and X_(s2) are disjoint. We write x_(s) as a typical variable of sort s. Terms t of sort s are defined as follows: any variable or constant of sort s is a term of sort s; and if t₁, . . . , t_(k) are terms of sorts s₁, . . . , s_(k), respectively, and f is a function symbol with profile s₁ x . . . x s_(n)→s, then f(t₁, . . . , t_(k)) is a term of sort s. Nothing else is a term of sort S. If we wish to emphasize that a term t is of sort s, we may write t_(s) instead of just t. The atomic formulas of this logic are of the form R(t^(s1) ₁, . . . , t^(sk) _(k)) for R with profile s₁ x . . . x s_(k). We also have the usual Boolean combinations, universal quantifications for all x_(s)Φ, and existential quantifications for each x_(s)Φ.

Since the sorts are fixed for a given information system, a language of the kind that is described here is completely determined by its constant, function, and relation symbols. Sort information can be omitted from constants and variables when the sorts in question are either obvious or immaterial. Free and bound variable occurrences are defined as usual. Formulas that are alpha-equivalent are regarded as identical. The notion of substitution is also defined as usual: Φ[t/x] (where both x and t are of the same sort) is defined as the formula obtained from Φ by replacing every free occurrence of x by t, taking care to rename bound variables as necessary to avoid variable capture. (Hence, substitution is properly defined modulo the equivalence classes of alpha-convertibility.) Φ(x₁, . . . , x_(n)) is written for a formula that has x₁, . . . , x_(n) as its free variables.

An interpretation I for such a language is given with respect to an information system S=(

·

). In particular, the sort ind is mapped to the universe

, while each sort a_(i) is mapped to V(A_(i)). We write s^(I) for the set that interprets the sort s. Constants are interpreted as usual: each constant c_(s) is mapped to a unique element c^(I) in s^(I). A function symbol f: s₁ x . . . x s_(n)→s is assigned a corresponding function f^(I): s₁ ^(I)x . . . x s_(n) ^(I)→s^(I). This means that each attribute symbol a_(i): ind→a_(i) is mapped to a unique function a_(i) ^(I):

→V(A_(i)). Also, each relation symbol R with profile s₁ x . . . x s_(n) is interpreted by a unique relation R^(I)

_s^(I) ₁ x . . . x s^(I) _(n). The interpretation of each equality symbol=^(s) is always the identity relation on s^(I).

A variable assignment ρ for an interpretation I is a functional finite set of ordered pairs of the form (x_(s); v) where vεs^(I). We write ρ [x_(s)|→v], for vεs^(I), for the assignment that is identical to ρ except that it maps x_(s) to v; and we write ρ [x₁|→v₁, . . . , x_(n)|→v_(n)], as a shorthand for ( . . . (ρ[x₁|→v_(1])) . . . ) x_(n)|→v_(n)]. Also, [x₁|→v₁, . . . , x_(n)|→v_(n)] is understood as φ[x₁|→v₁, . . . , x_(n)|→v_(n)]. We use this notation for any finite function, not just for variable assignments. The denotation of a term t with respect to a given interpretation I and assignment ρ, denoted I_(ρ)(t), is defined by structural recursion: if t is a constant symbol c, then I_(ρ)(t)=c^(I); if t is a variable x, then I_(ρ)(t) is the value assigned to x by ρ, viewing the latter as a function (we assume that x is in the domain of ρ); and if t is of the form f(t₁, . . . , t_(n)), then I_(ρ)(t) is f^(I)(I_(ρ)(t₁), . . . , I_(ρ)(t_(n))).

We write I|=ρ Φ to mean that the interpretation I satisfies the formula Φ with respect to ρ. This satisfaction relation is defined by the usual structural induction. We say that I satisfies ρ, written I|=Φ, iff I|=ρΦ for every assignment ρ.

We have seen that an interpretation I is given with respect to an information system S. Yet only some parts of I are truly dependent on the given S, while others are invariant across many different information systems. For instance, if the language contains the integers as a sort and the less than (<) relation on them as a relation symbol, then the interpretation of that sort and the corresponding relation presumably do not change across different information systems. If we factor out these invariant parts, we may then understand an interpretation I as encoding a possible world w of an information system. That is, the truly important parts of I are the functions a^(I) _(i), that map each object u in the underlying universe to a particular attribute value in V(A_(i)). This fixes a data table for the underlying system. Thus, we may understand an interpretation as a possible world of the underlying information system, writing, e.g., w|=ρΦ to mean that the interpretation I corresponding to w (obtained from w in tandem with the invariant parts, such as the relations and functions corresponding to symbols such < and +) satisfies Φ with respect to ρ. And if M is a state (a collection of models), we will write M|=ρ Φ to mean that w|=ρ Φ for every wεM. Likewise, M|=Φ will means that M|=ρ Φ holds for every ρ. Assuming a fixed invariant part for I, we understand a model for a formula Φ(x₁, . . . , x_(n)) as a pair (w, (v₁, . . . , v_(n))) consisting of a world w as well as values v_(i) from the appropriate domains for the variables x₁; :::; x_(n), such that w|=[_(x1|→v1, . . . , xn|→vn)]Φ(x₁, . . . , x_(n)).

In what follows we will assume a unique naming convention to the effect that for any language L associated with an information system S; for any element zε

∪

; and for any interpretation I of L; L contains a unique constant symbol z (of the appropriate sort) whose denotation under I is z, i.e., z^(I)=z. Finally, for any formula Φ and finite set Σ of constants of sort ind, we define the propositionalization of Φ with respect to Σ, written Φ|Σ, as the formula obtained from Φ by skolemizing all existential quantifications, followed by expanding every universal quantification ∀x_(ind)Ψ into the conjunction of all Ψ[c/x_(ind)], for cεΣ.

For a given (fixed) information system S, an anonymity signature for S is an ordered pair ((A ₁ , . . . ,A _(p)),A)  (EQ1)

where (A₁, . . . , A_(p)) is a sequence of attributes S and A is a sensitive attribute of S. We refer to A₁, . . . , A_(p) as the signature's identifying attributes and to A as the signature's sensitive attribute. Intuitively, a sequence of values v₁, . . . , v_(p), with v_(i)εV(A_(i)), either uniquely identifies art individual or makes it very likely that an individual can be identified, perhaps with the aid of additional information. For instance, a combination of a name and a social security number would uniquely identify any individual working in the United States. But as shown in other works, there are other combinations of attributes, which, while not necessarily uniquely identifying by themselves, would typically make it very easy to identify an individual when augmented with some publicly available external information. For instance, armed just with a zip code, gender, and a birth date, we can often (around 87% of the time) uniquely identify any individual in this country. Our definition of anonymity signatures is flexible enough to handle any sequence of attributes deemed to be identifying attributes. The objective is that for any tuple of values (v₁, . . . , v_(p)) given for the identifying attributes A.₁, . . . , A_(p) in a signature of the form (EQ1), the user should not be able to determine the corresponding value for the sensitive attribute of A.

By taking advantage of the logic we specified above for a given language L, we can allow for a more flexible form of anonymity signature: we can define an anonymity signature as a triple instead of a pair, where the first two elements are as before, except that they are now expressed more formally as attribute sorts, and the third new element is a formula (I)(x) of one free variable ranging over ind: ((s₁, . . . , s_(p)); s; Φ(x)). The idea here is that we only wish to protect the value of the sensitive attribute s (for a given tuple of values for the identifying attributes) for those individuals x for which Φ holds. Suppose, e.g., that we have attributes Job and Salary, and we wish to protect the relationship from Job to Salary but only for managers. We can specify this with the following anonymity signature: ((job); salary; job(x)=manager) where job and salary are attribute sorts; job is an attribute function symbol; and manager is an attribute value. We can now define an anonymity policy for an information system S as a finite set of anonymity signatures of the above form, expressed in some logic L for S. To make policies more flexible, we may assume that each anonymity signature has a unique positive integer k associated with it.

A novel algorithm for inference control is now described and shown in FIG. 1. In this algorithm, fix an information system S, a language L (as specified above), and the invariant part of some interpretation I for L. We now describe the inventive, general algorithm for inference detection and control. First, some notational conventions: For any n terms t₁, . . . , t_(n) of the same sort, we define distinct(t₁, . . . , t_(n)) as the conjunction stating that any two terms t_(i) and t_(j) with i≠j are distinct. Also, in what follows w₀ will refer to the “real world,” namely, the world corresponding to the actual database. Although the user does not have direct access to that world, our algorithm does, and we take advantage of that fact. By a constant mapping z we mean a finite function from constant symbols of sort ind to the universe

of S. Our unique algorithm will maintain a dynamically growing set of such constant symbols C and a corresponding mapping τ:C→

.

Next, let σ=((a₁, . . . , a_(p)),a, Φ,(x)) be an anonymity signature, and let c be a constant symbol in C. We define N_(σ)(c, τ) as follows:

${N_{\sigma}\left( {c,\tau} \right)} = {{{\varnothing\left\lbrack {c/x} \right\rbrack}\overset{p}{\underset{i = 1}{⩓}}{a_{i}(c)}} = \overset{\_}{w_{0}\left( {A_{i},{\tau(c)}} \right)}}$

where c is in the domain of τ (A_(i) is the attribute name in

corresponding to the function symbol a_(i)). We call N_(G)(c, τ) the identifying sentence for c, w, r, t, σ, τ. Our novel algorithm is parameterized over a finite set of formulas B containing a priori or background knowledge about the database, which must be consistent with the real world.

A key part of the algorithm is step 6 of FIG. 1, where we compute what we call the existential and universal “closures” of the query answer. Intuitively, these closures capture the logical content of the query answer, A; we explain them with the aid of an example. Consider a database called Personnel with the following contents:

Name Age Salary Job u₁ Albert 28 50K Receptionist u₂ Betty 25 60K Engineer u₃ Calvin 35 70K Engineer

Now consider the following SQL query:

Select Name, Age

from Personnel

where Age<30;

The answer to this query is a set of tuples, namely, (Albert, 28) and (Betty, 25). As indicated in step 5 in FIG. 1, we introduce fresh constant symbols to refer to the individuals corresponding to the tuples in this answer. In this case, since we have two tuples, we introduce two fresh constants, let's say c₄ and c₅, with c₄ corresponding to u₁ and c₅ to u₂ (we keep track of this correspondence in the mapping τ). This answer conveys or tells us, in logical terms at least the following two things. One, there are two individuals in the information system, one whose name is Albert and whose age is 28; and one whose name is Betty and whose age is 25. Since c₄ and c₅ are (fresh) names for these individuals, we can express this information by the following conjunction: name(c ₄)=Albert^age(c ₄)=28^ name(c ₅)=Betty^age(c ₅)=25

We call this the existential closure of the answer. We write EC(A) to denote the existential closure of any query answer A.

Two, the answer also tells us that these are the only individuals whose age is less than 30. More precisely: ∀x _(ind): age(x _(ind))<30

x _(ind) =c ₄ V x _(ind) =c ₅

We call this the universal closure of the answer. Since we do not want to have unrestricted quantifiers in our formalization, we propositionalize this closure by replacing x_(ind) by every constant symbol previously introduced by our algorithm. For instance, suppose that the previously introduced constants are c₁, c₂, and c₃. Then the universal closure of this answer will be expressed by the following three formulas: age (c_(i))<30

c_(i)=c₄ Vc_(i)=c₅, i=1, 2, 3. In general, for any two sets of constants C and C′ and any selection condition Φ, we define

${{UC}\left( {C,\varnothing,C^{\prime}} \right)} = \left\{ {{\left. {\varnothing(c)}\Rightarrow \right.\underset{c^{\prime} \in C^{\prime}}{⩔}\; c} = {c^{\prime}❘{c \in C}}} \right\}$

The set C can be thought of as containing all previously introduced constants (for previous query answers), while C′ can be viewed as the set of new constants (corresponding to the latest query answer).

Thus, with every new query answer, the user's slice of the universe keeps expanding—new constant names are introduced to denote the individuals corresponding to the answer's tuples. (Some of these new constants, of course, might denote individuals named by previously introduced constants.) The reasoning modeled by our algorithm is carried out with respect to this dynamically expanding universe. This restriction to a finite (but dynamically expanding) slice of the universe makes the algorithm practical. The restriction is sensible because the user reasons about the information that she has received, which pertains only to the individual tuples in the query answers.

It should be noted that both loops in the algorithm are essentially constant-time. First, on step 8 in FIG. 1: in practice there is often only one anonymity signature of interest, so this outer loop will often be executed only once. Then, on the third step inside step 8 (“For j=k”): This inner loop will be iterated only k−1 times. In particular, if k=2, then the loop will only be executed once. Thus, if there is only one anonymity signature with degree k=2, there will be no iteration at all—the procedure becomes a straight-line algorithm in that case. The ease k=2, in fact, corresponds essentially to the theorem-proving formulation.

Note the importance of naming: the presence of the identifying sentence N_(σ)(c, τ) in the definition of the anonymity predicate ψc(x)≡

N _(σ)(c,τ)

[a(c)=x

x≠ w_(o)(A,τ(c))]

is significant, because we do not want to preclude the release of a sensitive attribute value as long as the corresponding individual is not identifiable.

The correctness of the algorithm is perhaps easier to see in the case of k=2. Let us say that a model-finding algorithm is sound iff it never produces an incorrect answer, namely: if it claims that a given set of formulas has no model, then the set in question is indeed unsatisfiable; and if it outputs a putative model for a given set of formulas, then that answer is indeed a model for the given formulas. And such an algorithm is complete iff it always terminates and produces an output, for any given (finite) set of formulas.

Theorem 1: Assume there is only one anonymity signature a with degree k=2, and assume the algorithm in FIG. 1 uses a sound and complete model finder in step 8. Then the variable violations becomes true iff the value of the sensitive attribute for at least one individual in the query answers has been leaked, i.e., iff there is a constant cεC such that B∪Γ|=N _(σ)(c,τ)

a(c)= w _(o)(A,τ(c))

PROOF: In one direction, suppose that violations becomes true for some query. Since k=2, the loop variable j=2 in step 8 of FIG. 1 must have only assumed the value 2, which means that the model finder was unable to find a model for B∪Γ∪{Ω(x ₁ , . . . ,x _(n))}  (3)

By the model finder's soundness, it follows that (3) is unsatisfiable, which is to say that B∪Γ|=

Ψ(x ₁ , . . . ,x _(n))  (4)

But Ψ is just a conjunction of Ψ_(ci) for i=n, where n is the total number of constant symbols introduced up to that point. Hence, by (4) and DeMorgan's we get B∪Γ|=for each i=1 . . . n,

Ψ _(ci)(x _(i))  (5)

Therefore, there is some iε{1, . . . , n} such that B∪Γ|=

Ψ _(ci)(x _(i))

and this, in turn, means precisely that B∪Γ|=N _(σ)(c _(i),τ)

a(c _(i))= w _(o)(A,τ(c _(i)))

The converse direction is immediate: if (6) holds for some c_(i) then B∪Γ∪Ψ_(ci)(x) is unsatisfiable for some i, hence B∪Γ∪Ψ(x₁, . . . , x_(n)) is unsatisfiable. Therefore, by the model finder's completeness and soundness, it follows that the attempt to find a model on step 8 will fail, and therefore that violations will be set to true.

Both the result and the proof generalize to any number of anonymity signatures and any k>1: violations becomes true iff, for some cεC, there are fewer than k−1 models for B∪Γ∪{Ψ_(c)(x)} assigning distinct values to x.

Of course, there is no sound and complete model-finding algorithm for unrestricted first-order logic, so, as given, the procedure in FIG. 1 is not quite mechanically computable. However, there are sound, complete, and highly efficient model finders for quantifier-free fragments of first-order logic combining various useful theories that arise in practice. Such a model-finder would be more than complete enough for practical purposes, since most queries encountered in practice are expressible in such a fragment, including statistical queries such as sums, counts, and averages. A look at step 8 in FIG. 1 shows that a model finder is invoked on

$B\bigcup\Gamma\bigcup\left\{ {{\psi\left( {x_{1},\ldots\mspace{14mu},x_{n}} \right)} ⩓ \underset{i = 1}{\overset{n}{⩓}}\underset{j^{\prime} < j}{⩓}{x_{i} \neq v_{{ij}^{\prime}}}} \right\}$

From this input, only B, in general, may not be quantifierless. However, for most sets of background knowledge that arise in practice, such as functional dependencies and integrity constraints, B can be propositionalized in a way that makes it amenable to SMT model finding, by computing Φ |C for every ΦεB.

FIG. 2 is a flow diagram of the inventive method. In step S1, receive a query. In step S2, perform the received query and obtain an answer to the query. In step S3, create a formula representing the answer. In step S4, determine whether a minimum number of distinct models exist. Note that these distinct models are models of the formula conjoined with relevant anonymity predicates, previous answers and background knowledge in accordance with anonymity signatures. When the minimum number of distinct models do not exist (S4=NO), then suppress the answer in step S5. Otherwise (S4=YES), provide the answer in step S6.

FIG. 3 is a schematic diagram of an embodiment of the inventive system. In this embodiment, the system comprises a computer having a CPU 10, an input device 12 an output device 14, a module 16 executable by the CPU 10, and one or more databases 18. Multiple modules can exist in the system. The input device can be a mobile device, a laptop computer or any other such device. The output device can be a monitor, a laptop computer or any other such device.

The system can operate as follows. Using the input device 12, a user can input a query to the computer. The module 16 can perform, on the CPU 10, the query and the inventive algorithm described above and shown in FIG. 1. The module can return the output, if appropriate, to the output device 14.

An example of the inventive algorithm is now presented. In the exemplary embodiment, the model finder is the Yices SMT Solver Tool. The example revisits the Personnel database shown above. We first introduce a domain Ind for the universe of the information system, and datatypes Name and Job of the different names and jobs that appear in the database:

(define-type Ind)

(define-type Name (datatype Albert Betty Calvin))

(define-type Job (datatype Receptionist Engineer))

Now attribute functions are introduced that give the age, name, salary and job of a given individual.

(define age::→Ind int)

(define name::→Ind Name)

(define salary::→Ind int)

(define job::→Ind Job)

Assume the association between names and salaries is to be protected, so suppose there is one anonymity signature ((Name), Salary, true) with a degree of anonymity k=2. Suppose the user starts the interaction by making the following query Q:

Select Name, Age from Personnel where Age<30

Thus, the selection condition here is Φ_(Q)(x)=age(x)<30. The answer to this query returns the two tuples (Albert, 28) and (Betty, 25). Two fresh constants c₁ and c₂ can be introduced to refer the individuals corresponding to these tuples, with the mapping τ={c₁→u₁, c₂→u₂}, and assert that these are distinct: (assert (not (=c1c2))). Then assert the existential closure of this answer:

(assert (and (=(name c1) Albert)

-   -   (=(age c1) 28)     -   (=(name c2) Betty)

(=(age c2) 25)))

Since there are no previously introduced constants, there is no universal closure for this answer. Thus, we have now reached step 8 (in FIG. 1) of the algorithm, and we proceed to construct the anonymity predicates for c₁ and c₂. The anonymity predicate for c₁ is as follows: Ψ_(c1)(x)≡

N _(σ)(c ₁;τ)

[salary(c ₁)=x^x≠50]

where N_(σ)(c₁τ)≡name (c₁)=Albert, and hence Ψ_(c1)(x)≡name(c ₁)≠Albert

[salary(c ₁)=x^x≠50]

Likewise, the anonymity predicate for c₂ is: Ψ_(c2)(x)≡name(c ₂)≠Betty

[salary(c ₂)=x^x≠60].

Accordingly, the total anonymity predicate Ψ(x₁, x₂) is the conjunction of name(c ₁)≠Albert

[salary(c ₁)=x^x≠50] and name(c ₂)≠Betty

[salary(c ₂)=x^x≠60].

Moving to the last part of the algorithm, since in this case k=2, all we now need to do is to find a model for Ψ(x₁, x₂). The model finder succeeds with the following result: (=x1 62), (=x2 61). This means that, for all the user knows at this point, the salary of c₁ (Albert) could be 62K and the salary of c₂ (Betty) could be 61K, and therefore the answer to this first query does not compromise the security policy and can be safely released.

Suppose the user continues with the query:

Select Age, Salary from Personnel where Age=28

which returns the single tuple (28, 50K). A new constant symbol c₃ can be introduced and τ can be updated to map c₃ to u₁. The existential closure of this answer is simply the conjunction of (=(age c3) 28) and (=(salary c3) 50). Since at this point there are previously introduced constants (c₁ and c₂), we need to compute and assert the universal closure of this answer. This closure is the conjunction of age(c _(i))=28

c ₁ =c ₃

for i=1, 2. At this point, we are ready to try to find a model for the predicate Ψ(x,y) that we defined above. This time, however, the model finder reports that the current context is unsatisfiable. Thus, the answer would be withheld or suppressed and the assertions would be retracted due to the second query and we would continue with the top-level loop.

Note that it is not necessary for the algorithm to completely withhold or suppress a query answer when a leak is detected. The answer could also be appropriately modified (e.g., generalized). The logical content of the new answer would then be extracted and added to Γ′ for the next iteration (see FIG. 1)

Various aspects of the present disclosure may be embodied as a program, software, or computer instructions embodied or stored in a computer or machine usable or readable medium, which causes the computer or machine to perform the steps of the method when executed on the computer, processor, and/or machine. A program storage device readable by a machine, e.g., a computer readable medium, tangibly embodying a program of instructions executable by the machine to perform various functionalities and methods described in the present disclosure is also provided.

The system and method of the present disclosure may be implemented and run on a general-purpose computer or special-purpose computer system. The computer system may be any type of known or will be known systems and may typically include a processor, memory device, a storage device, input/output devices, internal buses, and/or a communications interface for communicating with other computer systems in conjunction with communication hardware and software, etc. The system also may be implemented on a virtual computer system, colloquially known as a cloud.

The computer readable medium could be a computer readable storage medium or a computer readable signal medium. Regarding a computer readable storage medium, it may be, for example, a magnetic, optical, electronic, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing; however, the computer readable storage medium is not limited to these examples. Additional particular examples of the computer readable storage medium can include: a portable computer diskette, a hard disk, a magnetic storage device, a portable compact disc read-only memory (CD-ROM), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an electrical connection having one or more wires, an optical fiber, an optical storage device, or any appropriate combination of the foregoing; however, the computer readable storage medium is also not limited to these examples. Any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device could be a computer readable storage medium.

The terms “computer system” and “computer network” as may be used in the present application may include a variety of combinations of fixed and/or portable computer hardware, software, peripherals, and storage devices. The computer system may include a plurality of individual components that are networked or otherwise linked to perform collaboratively, or may include one or more stand-alone components. The hardware and software components of the computer system of the present application may include and may be included within fixed and portable devices such as desktop, laptop, and/or server, and network of servers (cloud). A module may be a component of a device, software, program, or system that implements some “functionality”, which can be embodied as software, hardware, firmware, electronic circuitry, or etc.

The embodiments described above are illustrative examples and it should not be construed that the present invention is limited to these particular embodiments. Thus, various changes and modifications may be effected by one skilled in the art without departing from the spirit or scope of the invention as defined in the appended claims. 

What is claimed is:
 1. A method for secure data management, comprising steps of receiving a query; performing the query and obtaining an answer to the query; creating a formula representing the answer; determining whether a minimum number of distinct models exist, the distinct models being models of the formula conjoined with relevant anonymity predicates, previous answers and background knowledge in accordance with anonymity signatures; and when the minimum number of distinct models do not exist, suppressing the answer.
 2. The method according to claim 1, further comprising steps of: creating formula encoding the information conveyed by the answer; and combining the formula encoding the information with prior information.
 3. A system for secure data management, comprising: a CPU; a module operable on the CPU, the module operable to receive a query, perform the query and obtain an answer to the query, create a formula representing the answer, determine whether a minimum number of distinct models exist, the distinct models being models of the formula conjoined with relevant anonymity predicates, previous answers and background knowledge in accordance with anonymity signatures; and when the minimum number of distinct models do not exist, suppress the answer.
 4. The system according to claim 3, the module further operable to create formula encoding the information conveyed by the answer and combine the formula encoding the information with prior information.
 5. The system according to claim 3, further comprising an input device operable to send a query to the CPU and an output device operable to display the answers from the CPU.
 6. A computer readable storage medium storing a program of instructions executable by a machine to perform a method for secure data management, comprising steps of receiving a query; performing the query and obtaining an answer to the query; creating a formula representing the answer; determining whether a minimum number of distinct models exist, the distinct models being models of the formula conjoined with relevant anonymity predicates, previous answers and background knowledge in accordance with anonymity signatures; and when the minimum number of distinct models do not exist, suppressing the answer.
 7. The computer readable storage medium according to claim 6, further comprising: creating formula encoding the information conveyed by the answer; and combining the formula encoding the information with prior information. 